We always expected the GDPR to be a game changer in terms of raising the risk profile (and reputational impact) of data and cyber breaches, something demonstrated with yesterday’s news of the ICO’s intention to fine BA £183 million for its data breach.
However, it was harder to predict the impact of damaging headlines like the Cambridge Analytica scandal, which have dented the public’s trust in how organisations (both large and small) protect our data.
And while the sheer volume of data breaches means they no longer dominate the headlines as they did a few years ago unless large fines are involved, their impact on an organisation's reputation can nevertheless be severe.
Richard Jeens, a partner in our Cyber Advisory Team, recently spoke on a Deloitte panel discussing the reputational challenges raised by data breaches. Richard says: “having worked on a number of complex data breaches, it is clear how important the comms role is [to clients] – not only doing the right thing, but being seen to do the right thing, is vital if you want to mitigate the legal and reputational impact of a breach. However, the regulatory landscape is becoming increasingly complex, and it is therefore vital that pragmatic legal analysis sits at the heart of any breach response.”
Richard cited a number of developments in the regulatory landscape which reinforce this. As well as upcoming fines (we are expecting the first big GDPR fines from the Irish data protection regulator, as well as further fines from the ICO, this summer), there remains the spectre of liability to claimants: we heard recently, for example, that the Morrisons appeal, which will decide whether the company is liable for a rogue employee's deliberate leaking of payroll data, will be heard this November.
Increasing regulation on a global level (for example new laws in Brazil and, to some extent, the CCPA) adds another layer of complexity.
Preparing for and responding to any breach therefore has to take into account the short and long term legal risks, as well as incorporating a sophisticated, joined up communications strategy, to preserve an organisation’s reputation.